@david-marconis
Created April 30, 2025 11:48
Fix Azure VPN DNS issues on Linux

Issue

This guide helps you fix DNS resolution problems with the Azure VPN Client on a Linux computer running systemd-resolved (for example Ubuntu) when connecting to a virtual network through a VPN Gateway point-to-site (P2S) VPN with Microsoft Entra ID authentication. The symptom is intermittent failures reaching Azure services such as Key Vault that are exposed inside the virtual network through a Private Link endpoint and are only reachable over the VPN. It occurs when systemd-resolved does not send DNS queries for those names to the DNS server of the VPN connection created by the Azure VPN Client, so the public address is returned instead of the private endpoint address.

Troubleshooting

To check whether this issue affects you, look at what answer your system gets when it resolves an Azure resource. The example used here is a Key Vault named my-key-vault.

dig my-key-vault.vault.azure.net

The answer section should end in an A record pointing to a private IP address inside the virtual network, such as 10.32.2.9: that is the private endpoint. If you can reach the resource only intermittently, it is likely because systemd-resolved has no routing domain telling it that these names belong to the VPN link, so it may send the query to the DNS server of any link, and only the server reached over the VPN knows the private endpoint; your LAN or ISP resolver follows the privatelink CNAME on to the public Traffic Manager addresses instead. Getting the good answer some of the time and the bad one at other times confirms this.

Here is an example of a bad answer section (answered by a public resolver; note that the chain ends in public A records):

;; ANSWER SECTION:
my-key-vault.vault.azure.net. 60 IN	CNAME	my-key-vault.privatelink.vaultcore.azure.net.
my-key-vault.privatelink.vaultcore.azure.net. 60 IN CNAME data-prod-weu.vaultcore.azure.net.
data-prod-weu.vaultcore.azure.net. 41 IN CNAME	data-prod-weu-region.vaultcore.azure.net.
data-prod-weu-region.vaultcore.azure.net. 41 IN	CNAME ams.prd.r.kv.aadg.msidentity.com.
ams.prd.r.kv.aadg.msidentity.com. 281 IN CNAME	ams.tm.prd.r.kv.aadg.trafficmanager.net.
ams.tm.prd.r.kv.aadg.trafficmanager.net. 281 IN	A 13.69.111.192
ams.tm.prd.r.kv.aadg.trafficmanager.net. 281 IN	A 52.236.189.80
ams.tm.prd.r.kv.aadg.trafficmanager.net. 281 IN	A 13.69.64.72

Here is an example of a good answer section (answered by the DNS server reachable over the VPN; the privatelink name resolves directly to the private endpoint):

;; ANSWER SECTION:
my-key-vault.vault.azure.net. 60 IN	CNAME	my-key-vault.privatelink.vaultcore.azure.net.
my-key-vault.privatelink.vaultcore.azure.net. 10 IN A 10.32.2.9

Solution

To fix this, we tell systemd-resolved which DNS server to use for these names: a resolved drop-in adds the VPN's DNS server together with routing domains, so queries for those domains always go to the server reachable over the VPN.

  1. Connect to Azure VPN using the Azure VPN Client.
  2. Run the following command to find the DNS server the VPN client configured on its link:
    resolvectl dns
    It should return something like: Link XX (vpn-profile-name): 10.0.25.4, where vpn-profile-name is the name of the VPN profile in the Azure VPN Client and 10.0.25.4 is the DNS server inside the virtual network (yours will differ).
  3. Create a drop-in for the resources you need to reach, for example for all Azure Key Vaults:
    # Ensure the config dir is present (needs root, like the tee below)
    sudo mkdir -p /etc/systemd/resolved.conf.d
    # Add the new entry: DNS= is the VPN DNS server, Domains= lists the routing domains
    printf '[Resolve]\nDNS=10.0.25.4\nDomains=~vault.azure.net ~vaultcore.azure.net\n' | sudo tee /etc/systemd/resolved.conf.d/azure-dns.conf > /dev/null
    Replace DNS with the IP obtained from the resolvectl command, and Domains with the domains of whatever resources you are trying to access. The leading ~ makes each entry a routing-only domain: it decides which server answers for names under it without being appended to short names as a search suffix. vaultcore.azure.net is needed as well as vault.azure.net because the privatelink CNAME lives under it.
  4. Restart systemd-resolved:
    sudo systemctl restart systemd-resolved
  5. Verify with dig that it is working; the answer section should now end in the private IP:
    dig my-key-vault.vault.azure.net
    dig only exercises this fix if /etc/resolv.conf points at the resolved stub (127.0.0.53), which is the default on Ubuntu. resolvectl status lists the new server and domains under the Global section.

Note that the drop-in is static: while the VPN is disconnected, queries for these domains are still sent to 10.0.25.4, which is then unreachable, so those names fail to resolve instead of falling back to the public address. If the VPN's DNS server IP changes, update the drop-in.
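The following script is an added example, not the gist author's code, that automates both the troubleshooting check and the fix above: it reads the VPN link's DNS server from `resolvectl dns`, refuses to proceed unless that server is a private address, renders and installs the drop-in, restarts systemd-resolved and verifies with dig that the name now ends in a private IP. It assumes systemd-resolved, resolvectl, dig and sudo are present; the link name azure-vpn, the server 10.0.25.4, the Key Vault name and the embedded resolvectl/dig outputs are constructed samples used for offline self-checks, not captured from a real host.

```shell
#!/usr/bin/env bash
# Added example (not from the gist): automate the Azure VPN DNS check and fix.
# Assumes systemd-resolved, resolvectl, dig and sudo. Only touches the system
# when run as: APPLY=1 ./fix-azure-dns.sh <link> <test-name> <domain>...
set -eu

# Constructed sample of `resolvectl dns` output (not captured from a real host).
SAMPLE_RESOLVECTL='Global:
Link 2 (eth0): 192.168.1.1
Link 5 (azure-vpn): 10.0.25.4'

# Constructed sample dig answer sections: one from a public resolver (chain ends
# in a public Traffic Manager IP) and one from the VPN's DNS (private endpoint).
SAMPLE_DIG_BAD='my-key-vault.vault.azure.net. 60 IN CNAME my-key-vault.privatelink.vaultcore.azure.net.
my-key-vault.privatelink.vaultcore.azure.net. 60 IN CNAME data-prod-weu.vaultcore.azure.net.
ams.tm.prd.r.kv.aadg.trafficmanager.net. 281 IN A 13.69.111.192'
SAMPLE_DIG_GOOD='my-key-vault.vault.azure.net. 60 IN CNAME my-key-vault.privatelink.vaultcore.azure.net.
my-key-vault.privatelink.vaultcore.azure.net. 10 IN A 10.32.2.9'

# Print the first DNS server of the named link from `resolvectl dns` text on
# stdin; exit 1 if the link is not listed (typically: VPN not connected).
vpn_dns_from_resolvectl() {
    awk -v link="$1" '
        BEGIN { want = "(" link "):" }
        $1 == "Link" && $3 == want { print $4; found = 1; exit }
        END { if (!found) exit 1 }'
}

# Print the first A record address from a dig answer section on stdin;
# exit 1 if there is none.
first_a_record() {
    awk '$3 == "IN" && $4 == "A" { print $5; found = 1; exit }
         END { if (!found) exit 1 }'
}

# True if the address is in an RFC 1918 range, i.e. plausibly inside the VNet.
is_private_ipv4() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Render the resolved drop-in: DNS= is the VPN resolver, Domains= are routing-only
# domains (leading ~), so only names under them are sent to that server.
render_dropin() {
    dns="$1"; shift
    doms=""
    for d in "$@"; do doms="${doms}${doms:+ }~${d}"; done
    printf '[Resolve]\nDNS=%s\nDomains=%s\n' "$dns" "$doms"
}

# Apply the fix on a real host and verify it.
main() {
    link="$1"; name="$2"; shift 2
    dns="$(resolvectl dns | vpn_dns_from_resolvectl "$link")" ||
        { echo "link $link not in resolvectl dns; is the VPN connected?" >&2; return 1; }
    # Never route Key Vault lookups to a resolver outside the private range.
    is_private_ipv4 "$dns" || { echo "refusing to use non-private DNS $dns" >&2; return 1; }
    sudo mkdir -p /etc/systemd/resolved.conf.d
    render_dropin "$dns" "$@" | sudo tee /etc/systemd/resolved.conf.d/azure-dns.conf >/dev/null
    sudo systemctl restart systemd-resolved
    resolvectl flush-caches
    addr="$(dig +noall +answer "$name" | first_a_record)" ||
        { echo "no A record for $name" >&2; return 1; }
    is_private_ipv4 "$addr" || { echo "$name still resolves to public $addr" >&2; return 1; }
    echo "$name -> $addr (private endpoint)"
}

# Only modify the system when explicitly asked, so the helpers can be tested offline.
if [ "${APPLY:-0}" = "1" ]; then main "$@"; fi
```

Run it as `APPLY=1 ./fix-azure-dns.sh azure-vpn my-key-vault.vault.azure.net vault.azure.net vaultcore.azure.net` once the VPN is connected. The private-range guard matters: the drop-in sends every Key Vault lookup to whatever server it names, so the script refuses to write a resolver it found on the wrong link.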